Hope this is the right place... here goes.

Our college has Citrix XenCenter Enterprise and we have several RHEL ES 5.6 servers running now for various student and administrative functions. We know that XenCenter and the RHEL templates use vncserver as the root graphical console "0". We found, quite by accident, that we can also access the console "0" from an external VNC client with no password. This leaves us quite vulnerable. I've looked through all of the man pages and online to find a way to restrict access to console "0" from the local guest VM only and not from the world. I want to keep console "1" for use externally, though.

Does anyone have any ideas on now to accomplish this?

Scott,

One way to do this might be to restrict port 5900 on your host machine. VNC uses this for console 0 (and 5901 for console 1, 5902 for console 2, and so on). So you could do some stuff with your firewall to prevent the outside world from getting through to port 5900. If for some reason you don't wanna do that with port 5900, then you can also fire up your Xen instances and specify which ports you'd like to use for VNC.

So basically the idea is just do what you like restricting/granting etc. just by playing with your firewall configuration. Hope that helps.

I did as you suggested but in doing so I locked out the GUI console in XenCenter for that VM as well. As a temporary workaround, I went into the login options and disabled the more sensitive menu options (Reboot, Shutdown) so they would not be available in case anyone found console zero.

Any more suggestions guy and girls?